Abstract. We present a deterministic $2^{O(t)}\,q^{\frac{t-2}{t-1}+o(1)}$ algorithm to decide whether a univariate polynomial $f$, with exactly $t$ monomial terms and degree $<q$, has a root in $\mathbb{F}_q$. A corollary of our method, the first with complexity sub-linear in $q$ when $t$ is fixed, is that the nonzero roots in $\mathbb{F}_q$ can be partitioned into no more than $2\sqrt{t-1}\,(q-1)^{\frac{t-2}{t-1}}$ cosets of two proper subgroups $S_1 \subseteq S_2$ of $\mathbb{F}_q^*$. Another corollary is the first deterministic sub-linear algorithm for detecting common degree one factors of $k$-tuples of $t$-nomials in $\mathbb{F}_q[x]$ when $k$ and $t$ are fixed.

When $t$ is not fixed we show that each of the following problems is NP-hard with respect to BPP-reductions, even when $p$ is prime:

• detecting roots in $\mathbb{F}_p$ for $f$
• deciding whether the square of a degree one polynomial in $\mathbb{F}_p[x]$ divides $f$
• deciding whether the square of a degree one polynomial in $\overline{\mathbb{F}}_p[x]$ divides $f$
• deciding whether the gcd of two $t$-nomials in $\mathbb{F}_p[x]$ has positive degree

Finally, we prove that if the complexity of root detection is sub-linear (in a refined sense), relative to the straight-line program encoding, then NEXP $\not\subseteq$ P/poly.
1. Introduction



The solvability of univariate sparse polynomials is a fundamental problem in computer algebra, and an important precursor to deep questions in polynomial system solving and circuit complexity. Cucker, Koiran, and Smale [CKS99] found a polynomial-time algorithm to find all integer roots of a univariate polynomial $f \in \mathbb{Z}[x]$ with exactly $t$ terms, i.e., a univariate $t$-nomial. Shortly afterward, H. W. Lenstra, Jr. [Len99] gave a polynomial-time algorithm to compute all factors of fixed degree over an algebraic extension of $\mathbb{Q}$ of fixed degree (and thereby all rational roots). Independently, Kaltofen and Koiran [KK05] and Avendaño, Krick, and Sombra [AKS07] extended this to finding bounded-degree factors of sparse polynomials in $\mathbb{Q}[x,y]$ in polynomial-time. Unlike the famous LLL factoring algorithm [LLL82], the complexity for the algorithms from [CKS99, Len99, KK05, AKS07] was relative to the sparse encoding (cf. Definition 2.1 of Section 2 below) and thus polynomial in $t + \log\deg f$.

Changing the ground field dramatically changes the complexity. For instance, while polynomial-time algorithms are now known for detecting real roots for trinomials in $\mathbb{Z}[x]$ [RY05, BRS09], no polynomial-time algorithm is known for tetranomials [BHPR11]. Also, detecting $p$-adic rational roots for trinomials in $\mathbb{Z}[x]$ was only recently shown to lie in NP (for fixed $p$), as was NP-hardness with respect to ZPP-reductions for $t$-nomials when neither $t$ nor $p$ are fixed [AIRR12, Thm. 1.4 & Cor. 1.5].

Here, we focus on the complexity of detecting solutions of univariate t-nomials over finite 
fields. 

1.1. Main Results and Related Work. While deciding the existence of a $d^{\text{th}}$ root of an element of the $q$-element field $\mathbb{F}_q$ is doable in time polynomial in $\log d + \log q$ (see, e.g., [BS96, Thms. 5.6.2 & 5.7.2, pg. 109]), detecting roots for a trinomial equation $a + bx^{d_0} + cx^{d} = 0$ with $d > d_0 > 0$ within time sub-linear in $d$ and $q$ is already a mystery. (Erich Kaltofen and David A. Cox independently asked about such polynomial-time algorithms around 2003 [Kal03, Cox04].) We make progress on a natural extension of this question. In what follows, we use $|S|$ for the cardinality of a set $S$.

Theorem 1.1. Given any univariate $t$-nomial
$$f(x) := c_1 + c_2 x^{a_2} + c_3 x^{a_3} + \cdots + c_t x^{a_t} \in \mathbb{F}_q[x]$$
with degree $<q$, we can decide, within $4^t (t\log q)^{O(1)} + t^{1+o(1)}\, q^{\frac{t-2}{t-1}+o(1)}$ deterministic bit operations, whether $f$ has a root in $\mathbb{F}_q$. Moreover, letting $\delta := \gcd(q-1, a_2, \ldots, a_t)$ and $\eta := \sqrt{t-1}\left(\frac{q-1}{\delta}\right)^{\frac{t-2}{t-1}}$, the entire set of nonzero roots of $f$ in $\mathbb{F}_q$ is a union of at most $2\eta$ cosets of two proper subgroups $S_1 \subseteq S_2$ of $\mathbb{F}_q^*$, where $|S_1| = \delta$ and $\frac{q-1}{\eta} \le |S_2| \le \frac{q-1}{2}$. In particular, the number of nonzero roots of $f$ is no more than $\max\left\{2\delta\eta,\ 2\delta + (q-1)\left(1 - \frac{1}{\eta}\right)\right\}$.

The degree assumption is natural since $x^q = x$ for every $x \in \mathbb{F}_q$. Note also that deciding whether an $f$ as above has a root in $\mathbb{F}_q$ via brute-force search takes $q^{1+o(1)}$ bit operations, assuming $t$ is fixed.

Our first main result thus includes a finite field analogue of Descartes' Rule [SL54]. (The latter result implies an upper bound of $2t-1$ for the number of real roots of a real univariate $t$-nomial.) More to the point, Theorem 1.1 provides new structural and algorithmic information, complementing an earlier finite field analogue of Descartes' Rule [CFKLLS00, Lemma 7]. Theorem 1.1 can also be thought of as a refined, positive characteristic analogue of results of Tao and Meshulam [Tao05, Mes06] bounding the number of complex roots of unity at which a sparse polynomial can vanish (a.k.a. uncertainty inequalities over finite groups).

Note that if we pick $a_2, \ldots, a_t$ uniformly randomly in $\{-M, \ldots, M\}$ then, as $M \to \infty$, the probability that $\gcd(a_2, \ldots, a_t) = 1$ approaches $1/\zeta(t-1)$ (see, e.g., [Chr56]). The latter quantity increases from $6/\pi^2 \approx 0.6079$ to $1$ as $t$ goes from $3$ to $\infty$. Our theorem thus implies that, with "high" probability, the rational roots of a sparse polynomial over a finite field can be divided into two components: one component consisting of few isolated roots, and the other component consisting of few cosets of a (potentially large) subgroup of $\mathbb{F}_q^*$. Put another way, if the number of the rational roots of a sparse polynomial is close to its degree, then the set of the roots must exhibit a strong multiplicative structure.

Since detecting roots over $\mathbb{F}_q$ is the same as detecting linear factors of polynomials in $\mathbb{F}_q[x]$, it is natural to ask about the complexity of factoring sparse polynomials over $\mathbb{F}_q[x]$. The asymptotically fastest randomized algorithm for factoring an arbitrary $f \in \mathbb{F}_q[x]$ of degree $d$ uses $O(d^{1.5} + d^{1+o(1)}\log q)$ arithmetic operations in $\mathbb{F}_q$ [KU11], but no complexity bound polynomial in $t + \log d + \log q$ is known. (See [Ber70, CZ81, KS98, Uma08] for some important milestones, and [GP01, Kal03, vzGat06] for an extensive survey on factoring.) However, to detect roots in $\mathbb{F}_q$, we don't need the full power of factoring: we need only decide whether $\gcd(x^q - x, f(x))$ has positive degree. Indeed, a consequence of our first main result is a speed-up for a variant of the latter decision problem.

Corollary 1.2. Given any univariate $t$-nomials $f_1, \ldots, f_k \in \mathbb{F}_q[x]$, we can decide if $f_1, \ldots, f_k$ have a common degree one factor in $\mathbb{F}_q[x]$ via a deterministic algorithm with complexity
$$4^{kt}(kt\log q)^{O(1)} + k\,(k\sqrt{t})^{1+o(1)}\, q^{\frac{k(t-1)-1}{k(t-1)}+o(1)}.$$

Corollary 1.2 appears to give the first sub-linear algorithm for detecting roots of $k$-tuples of univariate $t$-nomials for $k$ and $t$ fixed.

Remark 1.3. It is important to note that the $k = 2$ case is not the same as deciding whether the gcd of two general polynomials has positive degree: the latter problem is the same as detecting common factors of arbitrary degree, or degree one factors over an extension field. Finding an algorithm for the latter problem with complexity sub-linear in $q$ is already an open problem for $k = 2$ and $t \ge 3$: see [EP05], and Theorem 1.5 and Remark 1.7 below. ◇

One reason why it is challenging to attain complexity sub-linear in q is that detecting 
roots in ¥ q for t-nomials is NP-hard when t is not fixed, even restricting to one variable and 
prime q. 

Theorem 1.4. Suppose that, for any input $(f,p)$ with $p$ a prime and $f \in \mathbb{F}_p[x]$ a $t$-nomial of degree $<p$, one could decide whether $f$ has a root in $\mathbb{F}_p$ within BPP, using $t + \log p$ as the underlying input size. Then NP $\subseteq$ BPP.

The least $n$ making root detection in $\mathbb{F}_p^n$ NP-hard for polynomials in $\mathbb{F}_p[x_1, \ldots, x_n]$ (for $p$ prime, and relative to the sparse encoding) appears to have been unknown. Theorem 1.4 thus comes close to settling this problem. Theorem 1.4 also complements an earlier result of Kipnis and Shamir proving NP-hardness for detecting roots of univariate sparse polynomials over fields of the form $\mathbb{F}_{2^\ell}$ [KiSha99]. Furthermore, Theorem 1.4 improves another recent NP-hardness result where the underlying input size was instead the (smaller) straight-line program complexity [CHW11].



SUB-LINEAR ROOT DETECTION OVER FINITE FIELDS 






Let $\overline{\mathbb{F}}_q$ denote the algebraic closure of $\mathbb{F}_q$. A consequence of our last complexity lower bound is the hardness of detecting degenerate roots over $\mathbb{F}_p$ and $\overline{\mathbb{F}}_p$:

Theorem 1.5. Consider the following two problems, each with input $(f,p)$ where $p$ is a prime and $f \in \mathbb{F}_p[x]$ is a $t$-nomial of degree $<p$.

(1) Decide whether $f$ is divisible by the square of a degree one polynomial in $\mathbb{F}_p[x]$.

(2) Decide whether $f$ is divisible by the square of a degree one polynomial in $\overline{\mathbb{F}}_p[x]$.

Then, using $t + \log p$ as the underlying input size, each of these problems is NP-hard with respect to BPP-reductions.

The NP-hardness of both problems had been previously unknown. Theorem 1.5 thus improves [KaShp99, Cor. 2], where NP-hardness (with respect to BPP-reductions) was proved for the harder variant of Problem (2) where one expands the allowable inputs to polynomials in $\overline{\mathbb{F}}_p[x]$.

Remark 1.6. Note that detecting a degenerate root for $f$ is the same as detecting a common degree one factor of $f$ and $f'$, at least when $\deg f$ is less than the characteristic of the field. So an immediate consequence of Theorem 1.5 is that detecting common degree one factors in $\mathbb{F}_p[x]$ (resp. $\overline{\mathbb{F}}_p[x]$) for pairs of polynomials in $\mathbb{F}_p[x]$ is NP-hard with respect to BPP-reductions. We thus also strengthen earlier work proving similar complexity lower bounds for detecting common degree one factors in $\mathbb{F}_q[x]$ (resp. $\overline{\mathbb{F}}_q[x]$) [vzGKS96, Thm. 4.11]. ◇

Remark 1.7. It should be noted that Problem (2) is equivalent to deciding the vanishing of univariate $A$-discriminants (see [GKZ94, Ch. 12, pp. 403-408] and Definitions 2.6 and 2.8 of Section 2.2 below). While Lemma 4.3 of Appendix A tells us that the trinomial case of Problem (2) can be done in P, we are unaware of any other speed-ups for fixed $t$. In particular, it follows immediately from Theorem 1.5 that deciding the vanishing of univariate resultants (see, e.g., [GKZ94, Ch. 12, Sec. 1, pp. 397-402] and Definition 2.6 of Section 2.2 below), over $\mathbb{F}_p[x]$, is also NP-hard with respect to BPP-reductions. ◇

Our final result is a complexity separation depending on a weak tractability assumption for detecting roots of univariate polynomials given as straight-line programs (SLPs).

Theorem 1.8. Suppose that, given any straight-line program of size $L$ representing a polynomial $f \in \mathbb{F}_{2^\ell}[x]$, we could decide if $f$ has a root in $\mathbb{F}_{2^\ell}$ within time $L^{O(1)}\,2^{(1-\varepsilon)\ell}$ for some constant $\varepsilon > 0$. Then NEXP $\not\subseteq$ P/poly.

One should recall that NEXP $\subseteq$ P/poly $\Longleftrightarrow$ NEXP $=$ MA [IKW01]. So the conditional assertion of our last theorem indeed implies a new separation of complexity classes. It may actually be the case that there is no algorithm for detecting roots in $\mathbb{F}_{2^\ell}$ better than brute-force search. Such a result would be in line with the Exponential Time Hypothesis [IP01] and the widely-held belief in the cryptographic community that the only way to break a well-designed block cipher is by exhaustive search.

1.2. Highlights of Main Techniques. The key new advance needed to attain our speed-ups is a method, based on the Shortest Vector Problem (SVP) for a lattice basis (see [MV10] and Section 2.1), to lower the degree of any sparse polynomial in $\mathbb{F}_q[x]$ to a power of $q$ strictly less than $1$ while still preserving solvability over $\mathbb{F}_q$.

Lemma 1.9. Given integers $a_1, \ldots, a_t, N$ satisfying $0 < a_1 < \cdots < a_t < N$ and $\gcd(N, a_1, \ldots, a_t) = 1$, one can find, within $4^t (t\log N)^{O(1)}$ bit operations, an integer $e$ with the following property for all $i \in \{1, \ldots, t\}$: if $m_i \in \{-\lfloor N/2\rfloor, \ldots, \lfloor N/2\rfloor\}$ is the unique integer congruent to $ea_i$ mod $N$ then $|m_i| \le \sqrt{t}\,N^{\frac{t-1}{t}}$.

We prove this lemma in Section 2.1 and show how the lemma can be applied to the exponents of a sparse polynomial to yield Theorem 1.1 in Section 3.1. Corollary 1.2 is proved in Section 3.2.

Example 1.10. Consider any polynomial of the form
$$f(x) = c_1 + c_2 x + c_3 x^{2^{200}+26} + c_4 x^{2^{200}+27} \in \mathbb{F}_q[x]$$
where
$$q := 6(2^{200}+26) + 1 = 9641628265553941653251772554046975615133217962696757011808413$$
(which is a 61-digit prime) and $c_1 c_4 \ne 0$. Considering the lattice generated by the vectors $(1, 2^{200}+26, 2^{200}+27)$, $(q-1, 0, 0)$, $(0, q-1, 0)$, $(0, 0, q-1)$, it is not hard to see that $(6, 0, 6)$ is a minimal length vector in this lattice. Moreover, $6 \cdot 1 = 6$, $6(2^{200}+26) = 0$, $6(2^{200}+27) = 6$ mod $q-1$. Letting $\alpha$ be any generator of $\mathbb{F}_q^*$ it is clear that any $x \in \mathbb{F}_q^*$ can be written as $x = \alpha^i z$ for some $i \in \{0, \ldots, 5\}$ and $z \in \mathbb{F}_q^*$ satisfying $z^{(q-1)/6} = 1$. So then, we see that solving $f(x) = 0$ is equivalent to finding an $i \in \{0, \ldots, 5\}$ and a $z \in \mathbb{F}_q^*$ with
$$\left(c_1 + c_3\alpha^{(2^{200}+26)i}\right) + \left(c_2\alpha^{i} + c_4\alpha^{(2^{200}+27)i}\right) z = z^{(q-1)/6} - 1 = 0.$$ ◇

Recall that any Boolean expression of one of the following forms:
$$y_i \vee y_j \vee y_k,\quad \neg y_i \vee y_j \vee y_k,\quad \neg y_i \vee \neg y_j \vee y_k,\quad \neg y_i \vee \neg y_j \vee \neg y_k,\qquad \text{with } i, j, k \in \{1, \ldots, n\},$$
is a 3CNFSAT clause. A satisfying assignment for an arbitrary Boolean formula $B(y_1, \ldots, y_n)$ is an assignment of values from $\{0, 1\}$ to the variables $y_1, \ldots, y_n$ which makes the equality $B(y_1, \ldots, y_n) = 1$ true.¹

A key construction behind the proofs of Theorems 1.4 and 1.5 in Section 4 is a highly structured randomized reduction from 3CNFSAT to detecting roots of univariate polynomial systems over finite fields. In particular, the finite fields arising in this reduction have cardinality coming from a very particular family of prime numbers. (See Definition 2.1 from Section 2 for our definition of input size.)

Theorem 1.11. Given any 3CNFSAT instance $B(y_1, \ldots, y_n)$ in $n \ge 4$ variables with $k$ clauses, there is a (Las Vegas) randomized polynomial-time algorithm that produces positive integers $c, p_1, \ldots, p_n$ and a $k$-tuple of polynomials $(f_1, \ldots, f_k) \in \mathbb{Z}[x]^k$ with the following properties:

(1) $c \ge 11$² and $\log(c\,p_1 \cdots p_n) = n^{O(1)}$.

(2) $p_1, \ldots, p_n$ is an increasing sequence of primes and $p := 1 + c\,p_1 \cdots p_n$ is prime.

(3) For all $i$, $f_i$ is monic, $f_i(0) \ne 0$, $\deg f_i < p_1 \cdots p_n$, and $\mathrm{size}(f_i) = n^{O(1)}$.

(4) For all $i$, the mod $p$ reduction of $f_i$ has exactly $\deg f_i$ distinct roots in $\mathbb{F}_p$.

(5) $B$ has a satisfying assignment if and only if the mod $p$ reduction of $(f_1, \ldots, f_k)$ has a root in $\mathbb{F}_p$. ■

Theorem 1.11 is based on an earlier reduction of Plaisted involving complex roots of unity [Pla84, Sec. 3, pp. 127-129] and was refined into the form stated above in [AIRR12, Secs. 6.2-6.3]. We now review some additional background necessary for our proofs.



¹ We respectively identify $0$ and $1$ with "False" and "True".

² [AIRR12] in fact contains a version of Theorem 1.11 with $c \ge 2$, but $c \ge 11$ can be attained by a trivial modification of the proof there.
2. Background

Our main notion of input size essentially reduces to how long it takes to write down monomial term expansions, a.k.a. the sparse encoding.

Definition 2.1. For any polynomial $f \in \mathbb{Z}[x_1, \ldots, x_n]$ written $f(x) = \sum_{i=1}^t c_i x_1^{a_{1,i}} \cdots x_n^{a_{n,i}}$, we define $\mathrm{size}(f) := \sum_{i=1}^t \log_2\!\left[(2 + |c_i|)(2 + |a_{1,i}|) \cdots (2 + |a_{n,i}|)\right]$. Also, when $F := (f_1, \ldots, f_k)$, we define $\mathrm{size}(F) := \sum_{i=1}^k \mathrm{size}(f_i)$. ◇







The definition above is also sometimes known as the sparse size of a polynomial. Note that 
size(c) = 0(log |c|) for any integer c. 

A useful fact, easily obtainable from the famous Schwartz-Zippel Lemma is that systems of 
univariate polynomial equations can, at the expense of some randomization, be reduced to 
pairs of univariate equations. (See Appendix A for the proof and [GH93] for a multivariate 
version.) 

Lemma 2.2. Given any prime power $q$ and $f_1, \ldots, f_k \in \mathbb{F}_q[x]$, let $Z(f_1, \ldots, f_k)$ denote the set of solutions of $f_1 = \cdots = f_k = 0$ in $\mathbb{F}_q$. Also let $d := \max_i \deg f_i$. Then at least a fraction $1 - \frac{d}{q}$ of the $(u_2, \ldots, u_k) \in \mathbb{F}_q^{k-1}$ satisfy $Z(f_1, \ldots, f_k) = Z(f_1, u_2 f_2 + \cdots + u_k f_k)$.



Remark 2.3. For this lemma to yield a high-probability reduction from $k \times 1$ systems to $2 \times 1$ systems, we will of course need to assume that $d$ is a small constant fraction of $q$. This will indeed be the case in our upcoming applications since we will be combining the lemma with Theorem 1.11, and Assertions (1)-(3) of the theorem force $d < \frac{p}{11}$ (with $q = p$ a prime). ◇

Let us now observe the following complexity bound for root detection for (not necessarily sparse) polynomials over finite fields.

Proposition 2.4. Given any polynomial $f \in \mathbb{F}_q[x]$ of degree $d$ and $N \mid (q-1)$, we can decide within $d^{1+o(1)}(\log q)^{2+o(1)}$ deterministic bit operations whether $f$ has a root in the order $N$ subgroup of $\mathbb{F}_q^*$. ■

Since detecting roots for $f$ as above is the same as deciding whether $\gcd(x^N - 1, f(x))$ has positive degree, the complexity bound above can be attained as follows: compute $r(x) := x^N \bmod f(x)$ via recursive squaring [BS96, Thm. 5.4.1, pg. 103], and then compute $\gcd(r(x) - 1, f(x))$ in time $d^{1+o(1)}(\log q)^{1+o(1)}$ via the Knuth-Schönhage algorithm [BCS97, Ch. 3].

2.1. Geometry of Numbers for Speed-Ups. Recall that a lattice in $\mathbb{R}^m$ is the set $\mathcal{L}(b_1, \ldots, b_d) = \left\{\sum_i x_i b_i : x_i \in \mathbb{Z}\right\}$ of all integral combinations of $d$ linearly independent vectors $b_1, \ldots, b_d \in \mathbb{R}^m$. The integers $d$ and $m$ are respectively called the rank and dimension of the lattice. The determinant $\det(\mathcal{L})$ of the lattice $\mathcal{L}$ is the volume of the $d$-dimensional parallelepiped spanned by the origin and the vectors of any $\mathbb{Z}$-basis for $\mathcal{L}$. Any lattice can be conveniently represented by a $d \times m$ matrix $B$, where $b_1, \ldots, b_d$ are the rows. The determinant of the lattice $\mathcal{L}$ can then be computed as $\det(\mathcal{L}(B)) = \sqrt{\det(BB^T)}$.

Let $\|\cdot\|$ denote the Euclidean norm on $\mathbb{R}^n$ for any $n$. Perhaps the most famous computational problem on lattices is the (exact) Shortest Vector Problem (SVP): Given a basis of a lattice $\mathcal{L}$, find a non-zero vector $u \in \mathcal{L}$ such that $\|v\| \ge \|u\|$ for any vector $v \in \mathcal{L} \setminus \{0\}$. The following is a well-known upper bound on the shortest vector length in a lattice $\mathcal{L}$.

Minkowski's Theorem. Any lattice $\mathcal{L}$ of rank $d$ contains a non-zero vector $v$ with $\|v\| \le \sqrt{d}\,\det(\mathcal{L})^{1/d}$. ■



Given a lattice with rank $d$, the celebrated LLL algorithm [LLL82] can find, in time polynomial in the bit-size of a given basis for $\mathcal{L}$, a vector whose length is at most $2^{(d-1)/2}$ times the length of the shortest nonzero vector in $\mathcal{L}$. An algorithm with arithmetic complexity $d^{O(1)}4^d$, proposed in [MV10, Sec. 5] by Micciancio and Voulgaris, is currently the fastest deterministic algorithm for solving SVP. (See [Ngu11] for a survey of other SVP algorithms.)

Let us now prepare for our degree-lowering tricks. First, we construct the lattice $\mathcal{L}$ spanned by the rows of the matrix $B$, where
$$B := \begin{pmatrix} a_1 & a_2 & \cdots & a_t \\ N & 0 & \cdots & 0 \\ 0 & N & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & N \end{pmatrix}.$$
Letting $v := (m_1, m_2, \ldots, m_t)$ be the shortest vector of the lattice $\mathcal{L}$, there then clearly exists an integer $e$ such that $ea_1 \equiv m_1, \ldots, ea_t \equiv m_t \pmod N$. (In fact, $e$ is merely the coefficient of $(a_1, \ldots, a_t)$ in the underlying linear combination defining $v$.) Most importantly, the factorization of $\det(\mathcal{L})$ is rather restricted when $N, a_1, \ldots, a_t$ are relatively prime.



Lemma 2.5. If $\gcd(N, a_1, \ldots, a_t) = 1$ then $\det(\mathcal{L}) \mid N^{t-1}$.

Proof: Let $\mathcal{L}_i$ denote the sublattice of $\mathcal{L}$ generated by all rows of $B$ save the $i^{\text{th}}$ row. Clearly then, $\det(\mathcal{L}) \mid \det(\mathcal{L}_i)$ for all $i$. Moreover, we have $\det(\mathcal{L}_1) = N^t$ and, via minor expansion from the $i^{\text{th}}$ column of $B$, we have $\det(\mathcal{L}_{i+1}) = \pm a_i N^{t-1}$ for all $i \in \{1, \ldots, t\}$. So $\det(\mathcal{L})$ divides $N^t, a_1 N^{t-1}, \ldots, a_t N^{t-1}$, hence also their gcd $N^{t-1}\gcd(N, a_1, \ldots, a_t) = N^{t-1}$, and we are done. ■

We are now ready to prove Lemma 1.9.

Proof of Lemma 1.9: From Lemma 2.5 and Minkowski's theorem, there exists a shortest vector $v$ of $\mathcal{L}$ satisfying $\|v\| \le \sqrt{t}\,N^{\frac{t-1}{t}}$. By invoking the exact SVP algorithm from [MV10] we can then find the shortest vector $v$ in time $4^t (t\log N)^{O(1)}$. Let $v := (m_1, \ldots, m_t)$. Clearly, by shortness, we may assume $|m_i| \le N/2$ for all $i \in \{1, \ldots, t\}$. (Otherwise, we would be able to reduce $m_i$ in absolute value by subtracting a suitable row of the matrix $B$ from $v$.) Also, by construction, there is an $e$ such that $ea_i \equiv m_i \pmod N$ for all $i \in \{1, \ldots, t\}$. ■
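The lattice step of Lemma 1.9 (the matrix $B$ above, applied to the exponents of Example 1.10) in working code, as an added example that is not part of the paper. It reduces the lattice $\mathbb{Z}a + N\mathbb{Z}^t$ with a textbook LLL routine in place of the exact SVP algorithm of [MV10], so the vector found is short within LLL's approximation factor rather than provably shortest; it reads off the multiplier $e$, and it checks the congruences $ea_i \equiv m_i \pmod N$, the range $|m_i| \le N/2$, and the $\sqrt{t}\,N^{(t-1)/t}$ bound exactly in integer arithmetic. One deviation from the paper's $(t+1) \times t$ matrix is flagged in the code: to get a genuine basis without Hermite-normal-form work, the rows are embedded in dimension $t+1$ with $e/N$ as an extra coordinate, which is a standard trick and not the paper's construction. Function names are this example's own. On Example 1.10's exponents $(1, 2^{200}+26, 2^{200}+27)$ with $N = q-1$ it recovers $e = 6$ and $m = (6, 0, 6)$.

```python
"""Degree lowering via a short lattice vector (Lemma 1.9, Example 1.10,
Section 2.1).  Added example, not code from the paper: LLL stands in for the
exact SVP algorithm of [MV10], so the vector is short within LLL's
approximation factor rather than provably shortest."""
from fractions import Fraction
from math import gcd


def lll_reduce(basis, delta=Fraction(99, 100)):
    """Textbook LLL with exact rational arithmetic.  `basis` is a list of
    linearly independent rows; returns the reduced rows as Fractions."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):              # size-reduce b_k
            r = round(mu[k][j])
            if r:
                b[k] = [x - r * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        lovasz = (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1])
        if dot(bstar[k], bstar[k]) >= lovasz:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def lower_exponents(exponents, N):
    """Lemma 1.9 in practice: return (e, m) with m_i = e*a_i mod N in [-N/2, N/2)
    and the m_i short.  Deviation from the paper (assumption of this example):
    instead of the rank-t lattice spanned by the t+1 rows of B, the rows
    (a, 1/N) and (N*e_i, 0) are used; they are a basis of a lattice whose
    projection onto the first t coordinates is exactly Z*a + N*Z^t, and the
    last coordinate carries e/N.  The vector (0, ..., 0, 1) is in the lattice
    and is its unique shortest vector, so the useful vector is the shortest
    basis row whose first t coordinates are not all zero."""
    t = len(exponents)
    assert 0 < exponents[0] and all(x < y for x, y in zip(exponents, exponents[1:]))
    assert exponents[-1] < N and gcd(N, *exponents) == 1
    basis = [list(exponents) + [Fraction(1, N)]]
    basis += [[N if j == i else 0 for j in range(t)] + [0] for i in range(t)]
    reduced = lll_reduce(basis)
    best = min((row for row in reduced if any(row[:-1])),
               key=lambda row: sum(x * x for x in row))
    if next(x for x in best[:-1] if x) < 0:         # v and -v are equally good
        best = [-x for x in best]
    e = int(best[-1] * N) % N
    m = [(int(x) + N // 2) % N - N // 2 for x in best[:-1]]
    return e, m


def check_lemma_1_9(exponents, N):
    """Return (e, m, within_bound).  Asserts e*a_i = m_i (mod N) and |m_i| <= N/2;
    within_bound tests |m_i| <= sqrt(t) N^((t-1)/t) exactly, as
    m_i^(2t) <= t^t N^(2(t-1)) (guaranteed for a shortest vector, not for LLL)."""
    e, m = lower_exponents(exponents, N)
    t = len(exponents)
    assert all((e * a - mi) % N == 0 and 2 * abs(mi) <= N for a, mi in zip(exponents, m))
    return e, m, all(abs(mi) ** (2 * t) <= t ** t * N ** (2 * (t - 1)) for mi in m)


# Example 1.10: q = 6(2^200 + 26) + 1 is a 61-digit prime (per the paper), N = q - 1.
EXAMPLE_N = 6 * (2 ** 200 + 26)
EXAMPLE_EXPONENTS = [1, 2 ** 200 + 26, 2 ** 200 + 27]


def example_1_10():
    """Expect e = 6 and m = [6, 0, 6]: the exponents 1, 2^200+26, 2^200+27 all
    collapse to 0 or 6 modulo N once x is replaced by x^6 (a 6-to-1 map on
    F_q^*, which Lemma 3.1 handles by splitting into delta' = 6 cosets)."""
    return check_lemma_1_9(EXAMPLE_EXPONENTS, EXAMPLE_N)


if __name__ == "__main__":
    print(example_1_10())
```

The run takes a fraction of a second even with 200-bit exponents because the lattice has rank 4 and the reduction needs only a handful of swaps; for the rank-$t$ lattices of Lemma 3.1 with $t$ large, the $4^t$ factor of the exact algorithm is where the paper's cost comes from, not from LLL.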



2.2. Resultants, $A$-discriminants, and Square-Freeness. Let us first recall the classical univariate resultant.

Definition 2.6. (See, e.g., [GKZ94, Ch. 12, Sec. 1, pp. 397-402].) Suppose $f(x) = a_0 + \cdots + a_d x^d$ and $g(x) = b_0 + \cdots + b_{d'} x^{d'}$ are polynomials with indeterminate coefficients. We define their Sylvester matrix to be the $(d+d') \times (d+d')$ matrix
$$\mathcal{S}_{(d,d')}(f,g) := \begin{pmatrix} a_0 & \cdots & a_d & & 0 \\ & \ddots & & \ddots & \\ 0 & & a_0 & \cdots & a_d \\ b_0 & \cdots & b_{d'} & & 0 \\ & \ddots & & \ddots & \\ 0 & & b_0 & \cdots & b_{d'} \end{pmatrix}$$
whose first $d'$ rows are the successive shifts of $(a_0, \ldots, a_d)$ and whose last $d$ rows are the successive shifts of $(b_0, \ldots, b_{d'})$, and their Sylvester resultant to be $\mathrm{Res}_{(d,d')}(f,g) := \det \mathcal{S}_{(d,d')}(f,g)$. ◇

Lemma 2.7. Following the notation of Definition 2.6, assume $f, g \in K[x]$ for some field $K$, and that $a_d$ and $b_{d'}$ are not both $0$. Then $f = g = 0$ has a root in the algebraic closure of $K$ if and only if $\mathrm{Res}_{(d,d')}(f,g) = 0$. More precisely, we have $\mathrm{Res}_{(d,d')}(f,g) = a_d^{d'} \prod_{f(\zeta) = 0} g(\zeta)$ where the product counts multiplicity. ■

The lemma is classical: see, e.g., [GKZ94, Ch. 12, Sec. 1, pp. 397-402], [RS02, pg. 9], and [BPR06, Thm. 4.16, pg. 107] for a more modern treatment.
We may now define a refinement of the classical discriminant. 



Definition 2.8. (See also [GKZ94, Ch. 12, pp. 403-408].) Let $A := \{a_1, \ldots, a_t\} \subset \mathbb{N} \cup \{0\}$ and $f(x) := \sum_{i=1}^t c_i x^{a_i}$, where $0 \le a_1 < \cdots < a_t$ and the $c_i$ are indeterminates. We then define the $A$-discriminant of $f$, $\Delta_A(f)$, to be
$$\Delta_A(f) := \frac{\mathrm{Res}_{(\bar a_t,\ \bar a_t - \bar a_2)}\!\left(\bar f,\ \dfrac{1}{x^{\bar a_2 - 1}}\dfrac{d\bar f}{dx}\right)}{c_t^{\,\bar a_t - \bar a_{t-1}}},$$
where $\bar a_i := (a_i - a_1)/g$ for all $i$, $\bar f(x) := \sum_{i=1}^t c_i x^{\bar a_i}$, and $g := \gcd(a_2 - a_1, \ldots, a_t - a_1)$. ◇

Remark 2.9. Note that when $A = \{0, \ldots, d\}$ we have $\Delta_A(f) = \mathrm{Res}_{(d,d-1)}(f, f')/c_d$, i.e., for dense polynomials, the $A$-discriminant agrees with the classical discriminant. ◇

Lemma 2.10. Suppose $p$ is any prime and $f, g \in \mathbb{F}_p[x]$ are relatively prime polynomials satisfying $f(0)g(0) \ne 0$, $d := \deg g > \deg f$, and $p > d$. Then the polynomial $f + ag$ is square-free for at least a fraction $1 - \frac{2d-1}{p}$ of the $a \in \mathbb{F}_p$.

Remark 2.11. Just as for Lemma 2.2, we will need to assume that $d$ is a small constant fraction of $q$ for Lemma 2.10 to be useful. This will indeed be the case in our upcoming applications since the setting will be the polynomials coming from Theorem 1.11, and Assertions (1)-(3) of the theorem force $2d - 1 < \frac{2p}{11}$ (with $q = p$ a prime). ◇

A stronger assertion, satisfied on a much smaller set of $a$, was observed earlier in the proof of Theorem 1 of [KaShp99]. For our purposes, easily finding an $a$ with $f + ag$ square-free will be crucial. We prove Lemma 2.10 in Appendix B.

3. Faster Root Detection: Proving Theorem 1.1 and Corollary 1.2

3.1. Proving Theorem 1.1. Before proving Theorem 1.1, let us first prove a result that will in fact enable sub-linear root detection in arbitrary subgroups of $\mathbb{F}_q^*$.

Lemma 3.1. Given a finite field $\mathbb{F}_q$ and the polynomials

(⋆⋆⋆) $\qquad x^N - 1 \quad\text{and}\quad c_1 + c_2 x^{a_2} + \cdots + c_t x^{a_t},$

in $\mathbb{F}_q[x]$ with $0 < a_2 < \cdots < a_t < N$, $\gcd(N, a_2, \ldots, a_t) = 1$, $c_i \ne 0$ for all $i$, and $N \mid (q-1)$, there exists a deterministic $q^{1/4}(\log q)^{O(1)} + 4^t (t\log N)^{O(1)} + t^{1+o(1)} N^{\frac{t-2}{t-1}+o(1)} (\log q)^{2+o(1)}$ algorithm to decide whether these two polynomials share a root in $\mathbb{F}_q$. Furthermore, for some $\delta' \mid N$ with $\delta' \le \sqrt{t-1}\,N^{\frac{t-2}{t-1}}$ and $\gamma \in \{1, \ldots, \delta'\}$, the roots of (⋆⋆⋆) lie in the union of a set of cardinality at most $2\sqrt{t-1}\,N^{\frac{t-2}{t-1}}\gamma/\delta'$ and the union of $\delta' - \gamma$ cosets of a subgroup of $\mathbb{F}_q^*$ of order $N/\delta'$.

Proof of Lemma 3.1: By Lemma 1.9 we can find an integer $e$ such that, if $m_2, \ldots, m_t$ are the unique integers in the range $[-\lfloor N/2\rfloor, \lfloor N/2\rfloor]$ respectively congruent to $ea_2, \ldots, ea_t$ mod $N$, then $|m_i| \le \sqrt{t-1}\,N^{\frac{t-2}{t-1}}$ for each $i \in \{2, \ldots, t\}$. Thanks to [MV10], this takes $4^t (t\log N)^{O(1)}$ deterministic bit operations. By [Shp96], we can then find a generator $\alpha$ of $\mathbb{F}_q^*$ within $q^{1/4}(\log q)^{O(1)}$ bit operations. For any $r \in \mathbb{F}_q^*$, let $\langle r\rangle$ denote the multiplicative subgroup of $\mathbb{F}_q^*$ generated by $r$.

Now, $x^N - 1$ vanishing is the same as $x \in \langle\zeta_N\rangle$ since $N \mid (q-1)$, where $\zeta_N := \alpha^{(q-1)/N}$. Define $\delta' := \gcd(e, N)$. If $\delta' = 1$ then the map from $\langle\zeta_N\rangle$ to $\langle\zeta_N\rangle$ given by $x \mapsto x^e$ is one-to-one. So finding a solution for (⋆⋆⋆) is equivalent to finding $x \in \langle\zeta_N\rangle$ such that $c_1 + c_2 x^{ea_2} + \cdots + c_t x^{ea_t} = 0$. Thanks to Lemma 1.9 the last equation can be rewritten as the lower degree equation $c_1 + c_2 x^{m_2} + \cdots + c_t x^{m_t} = 0$, and we may conclude our proof by applying Proposition 2.4.

However, we may have $\delta' > 1$, in which case the map from $\langle\zeta_N\rangle$ to $\langle\zeta_N\rangle$ given by $x \mapsto x^e$ is no longer one-to-one. Instead, it sends $\langle\zeta_N\rangle$ to the smaller subgroup $\langle\zeta_N^{\delta'}\rangle$ of order $N/\delta'$. We first bound $\delta'$: re-ordering monomials if necessary, we may assume that $m_2 \ne 0$. We then obtain
$$\delta' = \gcd(e, N) \le \gcd(ea_2, N) = \gcd(m_2, N) \le |m_2| \le \sqrt{t-1}\,N^{\frac{t-2}{t-1}}.$$
Any element $x \in \langle\zeta_N\rangle$ can be written as $\zeta_N^i z$ for some $i \in \{0, \ldots, \delta'-1\}$ and $z \in \langle\zeta_N^{\delta'}\rangle$. It is then clear that $x^N - 1 = c_1 + c_2 x^{a_2} + \cdots + c_t x^{a_t} = 0$ has a root in $\mathbb{F}_q^*$ if and only if there is an $i \in \{0, \ldots, \delta'-1\}$ and a $z \in \langle\zeta_N^{\delta'}\rangle$ with $c_1 + c_2(\zeta_N^i z)^{a_2} + \cdots + c_t(\zeta_N^i z)^{a_t} = 0$.

Now, $\gcd(e/\delta', N/\delta') = 1$. So the map from $\langle\zeta_N^{\delta'}\rangle$ to $\langle\zeta_N^{\delta'}\rangle$ given by $x \mapsto x^{e/\delta'}$ is one-to-one. By the definition of the $m_i$, (⋆⋆⋆) having a solution is thus equivalent to there being an $i \in \{0, \ldots, \delta'-1\}$ and a $z \in \langle\zeta_N^{\delta'}\rangle$ with $c_1 + c_2 \zeta_N^{ia_2} z^{m_2/\delta'} + \cdots + c_t \zeta_N^{ia_t} z^{m_t/\delta'} = 0$. So define the Laurent polynomial
$$f_i(z) := c_1 + c_2 \zeta_N^{ia_2} z^{m_2/\delta'} + \cdots + c_t \zeta_N^{ia_t} z^{m_t/\delta'}.$$
If $f_i$ is identically zero then we have found a whole set of solutions for (⋆⋆⋆): the coset $\zeta_N^i\langle\zeta_N^{\delta'}\rangle$. If $f_i$ is not identically zero then let $\ell := \min_j \min(m_j/\delta', 0)$. The polynomial $z^{-\ell} f_i(z)$ then has degree bounded from above by $2\sqrt{t-1}\,N^{\frac{t-2}{t-1}}/\delta'$. Deciding whether the pair of equations
$$z^{N/\delta'} - 1 = z^{-\ell} f_i(z) = 0$$
has a solution for some $i$ takes deterministic time $\delta'\left(\sqrt{t-1}\,N^{\frac{t-2}{t-1}}/\delta'\right)^{1+o(1)}(\log q)^{2+o(1)}$, applying Proposition 2.4 $\delta'$ times.

The final statement characterizing the set of solutions to (⋆⋆⋆) then follows immediately upon defining $\gamma$ to be the number of $i \in \{0, \ldots, \delta'-1\}$ such that $f_i$ is not identically zero. In particular, $\gamma \ge 1$ since $\deg f < N$ and thus $f$ is not identically zero on the order $N$ subgroup of $\mathbb{F}_q^*$. ■

Remark 3.2. Via fast randomized factoring, we can also pick out a representative from each coset of roots within essentially the same time bound. Note also that it is possible for some of the Laurent polynomials $f_i$ to vanish identically: the polynomial $1 + x - x^2 - x^3$ and the prime $q = 13$, obtained by mimicking Example 1.10 (so $e = 6$ and $N = 12$), provide one such example: $\delta' = 6$, $f_0$ vanishes identically and its coset $\{1, 12\}$ is the entire root set, so $\gamma = 5$. ◇
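Proposition 2.4 and the coset bookkeeping of the proof of Lemma 3.1, as an added example that is not part of the paper. Polynomials over $\mathbb{F}_p$ are coefficient lists; `has_root_in_subgroup` is the $\gcd(x^N - 1, f)$ test of Proposition 2.4 (with a schoolbook Euclidean gcd where the paper uses Knuth-Schönhage), and `coset_decomposition` takes the multiplier $e$ as an input (Lemma 1.9 would compute it), forms $\delta' = \gcd(e, N)$ and the Laurent polynomials $f_i$, and reports which cosets $\zeta_N^i\langle\zeta_N^{\delta'}\rangle$ consist entirely of roots and which contain an isolated root. Function names are this example's own; the sample instance is Remark 3.2's $1 + x - x^2 - x^3$ over $\mathbb{F}_{13}$ with $e = 6$ and $\zeta_{12} = 2$, cross-checked against brute-force evaluation.

```python
"""Proposition 2.4 (root detection in a subgroup of F_p^*) and the coset
decomposition from the proof of Lemma 3.1.  Added example, not code from the
paper: p is prime, a polynomial is the list [c_0, c_1, ...] of c_0 + c_1 x + ...
over F_p, and the multiplier e is passed in (Lemma 1.9 would compute it)."""
from math import gcd


def poly_trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_mul(f, g, p):
    if not f or not g:
        return []
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % p
    return poly_trim(h)


def poly_mod(f, g, p):
    """Remainder of f modulo a nonzero, trimmed g over F_p."""
    f, inv = f[:], pow(g[-1], -1, p)
    while len(f) >= len(g):
        c, shift = f[-1] * inv % p, len(f) - len(g)
        for i, b in enumerate(g):
            f[shift + i] = (f[shift + i] - c * b) % p
        f.pop()
    return poly_trim(f)


def poly_gcd(f, g, p):
    """Monic gcd by the Euclidean algorithm (the paper uses Knuth-Schoenhage)."""
    f, g = poly_trim(f[:]), poly_trim(g[:])
    while g:
        f, g = g, poly_mod(f, g, p)
    inv = pow(f[-1], -1, p) if f else 1
    return [c * inv % p for c in f]


def x_pow_mod(n, f, p):
    """x^n mod f by repeated squaring: the recursive-squaring step of Prop. 2.4."""
    result, base = poly_mod([1], f, p), poly_mod([0, 1], f, p)
    while n:
        if n & 1:
            result = poly_mod(poly_mul(result, base, p), f, p)
        base = poly_mod(poly_mul(base, base, p), f, p)
        n >>= 1
    return result


def has_root_in_subgroup(f, p, N):
    """Proposition 2.4: nonzero f has a root in the order-N subgroup of F_p^*
    (N | p-1) iff gcd(x^N - 1, f) has positive degree.  The cost is governed
    by deg f, not by N, which is why lowering the degree first pays off."""
    f = poly_trim(f[:])
    if len(f) <= 1:
        return False                      # a nonzero constant has no roots
    r = x_pow_mod(N, f, p) or [0]
    r[0] = (r[0] - 1) % p                 # r = x^N - 1 mod f
    return len(poly_gcd(f, r, p)) > 1


def coset_decomposition(coeffs, exps, p, N, e, zeta):
    """Proof of Lemma 3.1 for f = sum_j coeffs[j] x^exps[j] on <zeta>, the
    order-N subgroup of F_p^*.  With d' = gcd(e, N) and m_j = e*exps[j] reduced
    mod N into [-N/2, N/2), every x in <zeta> is zeta^i z with z in <zeta^d'>,
    and z -> z^(e/d') permutes <zeta^d'>, so the roots in coset i are those of
    the Laurent polynomial f_i(z) = sum_j coeffs[j] zeta^(i exps[j]) z^(m_j/d').
    Returns (indices i with f_i identically zero: the whole coset is roots,
    {i: whether z^l f_i has a root in <zeta^d'>} for the remaining i)."""
    d = gcd(e, N)
    m = [(e * a + N // 2) % N - N // 2 for a in exps]
    full, flags = [], {}
    for i in range(d):
        terms = {}
        for c, a, mj in zip(coeffs, exps, m):
            k = mj // d                                  # d' divides every m_j
            terms[k] = (terms.get(k, 0) + c * pow(zeta, i * a, p)) % p
        terms = {k: c for k, c in terms.items() if c}
        if not terms:
            full.append(i)
            continue
        shift = -min(min(terms), 0)                      # l: clears negative powers
        poly = [0] * (max(terms) + shift + 1)
        for k, c in terms.items():
            poly[k + shift] = c
        flags[i] = has_root_in_subgroup(poly, p, N // d)  # deg <= (max m - min m)/d'
    return full, flags


def roots_in_subgroup_brute(coeffs, exps, p, zeta, N):
    """Exhaustive evaluation over <zeta>; only for validating small cases."""
    return {x for x in (pow(zeta, k, p) for k in range(N))
            if sum(c * pow(x, a, p) for c, a in zip(coeffs, exps)) % p == 0}


def remark_3_2_example():
    """Remark 3.2's instance: 1 + x - x^2 - x^3 over F_13, N = 12, e = 6, zeta = 2,
    so d' = 6 and m = (0, -6, 0, -6).  Expect: only f_0 vanishes identically,
    its coset {1, 12} is the whole root set, and no other coset has a root."""
    p, N, e, zeta = 13, 12, 6, 2
    coeffs, exps = [1, 1, 12, 12], [0, 1, 2, 3]
    full, flags = coset_decomposition(coeffs, exps, p, N, e, zeta)
    d = gcd(e, N)
    coset_roots = {pow(zeta, i + d * j, p) for i in full for j in range(N // d)}
    return full, flags, coset_roots, roots_in_subgroup_brute(coeffs, exps, p, zeta, N)
```

Calling `coset_decomposition([1, 1, 1], [0, 1, 2], 13, 12, 5, 2)` exercises the $\delta' = 1$ branch of the proof: $e = 5$ is coprime to $12$, the single Laurent polynomial $1 + z^5 + z^{-2}$ is cleared to $z^7 + z^2 + 1$, and Proposition 2.4 reports a root because $x^2 + x + 1$ has the roots $3$ and $9$ in $\mathbb{F}_{13}$.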
We are now ready to prove our first main theorem.

Proof of Theorem 1.1: Let $\delta := \gcd(q-1, a_2, \ldots, a_t)$ and $y = x^\delta$. Then the solvability of $f$ is equivalent to the solvability of the following system of equations:
$$y^{\frac{q-1}{\delta}} - 1 = c_1 + c_2 y^{a_2/\delta} + \cdots + c_t y^{a_t/\delta} = 0.$$
Since $\gcd\left(\frac{q-1}{\delta}, \frac{a_2}{\delta}, \ldots, \frac{a_t}{\delta}\right) = 1$, we can solve this problem via Lemma 3.1 (with $N = \frac{q-1}{\delta}$), within the stated time bound. (Note that $q^{1/4} \le q^{\frac{t-2}{t-1}}$ for all $t \ge 3$. Also, the computation of $\gcd(q-1, a_2, \ldots, a_t)$ is dominated by the other steps of the algorithm underlying Lemma 3.1.) Also, since $y^{\frac{q-1}{\delta}} = 1$, each solution $y$ of the preceding $2 \times 1$ system induces exactly $\delta$ roots of $f$ in $\mathbb{F}_q$. So we can indeed efficiently detect roots of $f$, and the second assertion of Lemma 3.1 gives us the stated characterization of the roots of $f$. In particular, $S_2$ is the unique order $\frac{q-1}{\delta'}$ subgroup of $\mathbb{F}_q^*$ (following the notation of the proof of Lemma 3.1).

The final upper bound then follows easily from computing the maximal cardinality of the resulting union of cosets, for the cases $\gamma \in \{1, \delta'\}$ (following the notation of the proof of Lemma 3.1). In particular, cosets of $S_2$ do not appear when $\delta' = 1$, and when $\delta' > 1$ we clearly have $|S_2| \le \frac{q-1}{2}$. ■

3.2. The Proof of Corollary 1.2. Deciding whether $0$ is a root of all the $f_i$ is trivial, so let us divide all the $f_i$ by a suitable power of $x$ so that all the $f_i$ have a nonzero constant term. Next, concatenate all the nonzero exponents of the $f_i$ into a single vector of length $T \le k(t-1)$. Applying Lemma 1.9, and repeating our power substitution trick from our proof of Theorem 1.1, we can then reduce to the case where each $f_i$ has degree at most $2\sqrt{T}\,q^{\frac{T-1}{T}}$, at the expense of $4^T (T\log q)^{O(1)}$ deterministic bit operations.

At this stage, we then simply compute $g(x) := \gcd(\cdots\gcd(\gcd(f_1, f_2), f_3), \ldots, f_k)$ via $k-1$ applications of the Knuth-Schönhage algorithm [BCS97, Ch. 3]. This takes
$$(k-1)\left(2\sqrt{T}\,q^{\frac{T-1}{T}}\right)^{1+o(1)}(\log q)^{1+o(1)}$$
deterministic bit operations. We then conclude via Proposition 2.4 at a cost of $\left(2\sqrt{T}\,q^{\frac{T-1}{T}}\right)^{1+o(1)}(\log q)^{2+o(1)}$ bit operations.

Summing the complexities of our steps, we arrive at our stated complexity bound. ■

4. Hardness in One Variable: Proving Theorems 1.4, 1.5, and 1.8

4.1. The Proof of Theorem 1.4. Thanks to Theorem 1.11 we obtain an immediate ZPP-reduction from 3CNFSAT to the detection of roots in $\mathbb{F}_p$ for systems of univariate polynomials in $\mathbb{F}_p[x]$. By Lemma 2.2 and Remark 2.3 we then obtain a BPP-reduction to $2 \times 1$ systems. Let us now describe a ZPP-reduction from $2 \times 1$ systems to $1 \times 1$ systems.

Suppose $\chi \in \mathbb{F}_q$ is a quadratic non-residue. Clearly, the only root in $\mathbb{F}_q^2$ of the quadratic form $x^2 - \chi y^2$ is $(0, 0)$. So we can decide the solvability of $f_1(x) = f_2(x) = 0$ over $\mathbb{F}_q$ by deciding the solvability of $f_1^2 - \chi f_2^2 = 0$ over $\mathbb{F}_q$. Finding a usable $\chi$ is easily done in ZPP via random sampling and polynomial-time Jacobi symbol calculation (see, e.g., [BS96, Cor. 5.7.5 & Thm. 5.9.3, pg. 110 & 113]).

So there is indeed a BPP-reduction from 3CNFSAT to our main problem, and we are done. ■
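The $2 \times 1 \to 1 \times 1$ step above in working code, as an added example that is not part of the paper. Given $f_1, f_2 \in \mathbb{F}_p[x]$ with $p$ an odd prime, it picks a quadratic non-residue $\chi$ by Euler's criterion (scanning $2, 3, \ldots$ deterministically where the paper samples at random and evaluates a Jacobi symbol; for prime $p$ the two tests agree) and forms $h = f_1^2 - \chi f_2^2$, whose roots in $\mathbb{F}_p$ are exactly the common roots of $f_1$ and $f_2$. Squaring a $t$-nomial yields at most $t(t+1)/2$ terms, so $h$ stays sparse, which is what keeps the reduction within the sparse encoding. Function names and the $\mathbb{F}_{13}$ instance are this example's own; the brute-force root listing is only there to validate on small $p$.

```python
"""The 2x1 -> 1x1 reduction of Section 4.1: common roots of f_1, f_2 in F_p are
exactly the roots of h = f_1^2 - chi f_2^2 when chi is a quadratic non-residue,
because x^2 - chi y^2 vanishes only at (0, 0).  Added example, not code from
the paper; polynomials are coefficient lists [c_0, c_1, ...] over F_p."""


def poly_mul(f, g, p):
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % p
    return h


def quadratic_nonresidue(p):
    """Smallest chi with chi^((p-1)/2) = -1 mod p (Euler's criterion); p an odd
    prime.  The paper samples chi at random instead; the test is the same."""
    return next(c for c in range(2, p) if pow(c, (p - 1) // 2, p) == p - 1)


def combine(f1, f2, p):
    """h = f1^2 - chi*f2^2: a single polynomial equivalent to f1 = f2 = 0 over F_p.
    If f2(x) != 0 then h(x) = 0 would force (f1(x)/f2(x))^2 = chi, impossible;
    if f2(x) = 0 then h(x) = f1(x)^2, so h(x) = 0 iff f1(x) = 0 as well."""
    chi = quadratic_nonresidue(p)
    sq1, sq2 = poly_mul(f1, f1, p), poly_mul(f2, f2, p)
    n = max(len(sq1), len(sq2))
    sq1 += [0] * (n - len(sq1))
    sq2 += [0] * (n - len(sq2))
    return [(a - chi * b) % p for a, b in zip(sq1, sq2)]


def roots_brute(f, p):
    """All roots in F_p by evaluation; fine for the small p used to validate."""
    return {x for x in range(p) if sum(c * pow(x, i, p) for i, c in enumerate(f)) % p == 0}


def common_roots_via_combine(f1, f2, p):
    return roots_brute(combine(f1, f2, p), p)


if __name__ == "__main__":
    p = 13
    f1 = [1, 1, 1]        # x^2 + x + 1, with roots 3 and 9 in F_13
    f2 = [10, 1]          # x - 3
    print(common_roots_via_combine(f1, f2, p), roots_brute(f1, p) & roots_brute(f2, p))
```

For the NP-hardness argument only the decision "does $h$ have a root" matters, which is the $1 \times 1$ problem of Theorem 1.4; the brute-force root sets here are just a check that the two sides of the equivalence coincide.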

4.2. The Proof of Theorem 1.5. First note that the hardness of detecting common degree one factors in $\mathbb{F}_p[x]$ (or $\overline{\mathbb{F}}_p[x]$) for pairs of polynomials in $\mathbb{F}_p[x]$ follows immediately from Theorem 1.11 and Lemma 2.2: the proof of Theorem 1.4 above already tells us that there is a BPP-reduction from 3CNFSAT to detecting common roots in $\mathbb{F}_p$ of pairs of polynomials in $\mathbb{F}_p[x]$. Thanks to Assertion (4) of Theorem 1.11 we also obtain a BPP-reduction to detecting common roots, in $\overline{\mathbb{F}}_p$ instead, for pairs of polynomials in $\mathbb{F}_p[x]$.

So why does this imply hardness for deciding divisibility by the square of a degree one polynomial in $\mathbb{F}_p[x]$ (or $\overline{\mathbb{F}}_p[x]$)? Assume temporarily that Problem (2) is doable in BPP. Consider then, for any $f, g \in \mathbb{F}_p[x]$, the polynomial $H := (f + ag)(f + bg)$ where $\{a, b\} \subset \mathbb{F}_p$ is a uniformly random subset of cardinality $2$. Note that should $f$ and $g$ have a common degree one factor in $\mathbb{F}_p[x]$ (resp. $\overline{\mathbb{F}}_p[x]$), then it divides both $f + ag$ and $f + bg$, so $H$ is divisible by the square of a degree one polynomial in $\mathbb{F}_p[x]$ (resp. $\overline{\mathbb{F}}_p[x]$).

On the other hand, if $f$ and $g$ have no common factor, then $f + ag$ and $f + bg$ clearly have no common factors. Moreover, thanks to Lemma 2.10 and Remark 2.11, the probability that $f + ag$ and $f + bg$ are both square-free, and thus $H$ is square-free, is at least $1 - \frac{2(2d-1)}{p}$, assuming $f$ and $g$ satisfy the hypothesis of the lemma.

In other words, to test $f$ and $g$ for common factors, it's enough to check square-freeness of $H$ for random $(a, b)$.

To conclude, thanks to Theorem 1.11 the pairs of polynomials arising from our BPP-reduction from 3CNFSAT satisfy the hypothesis of Lemma 2.10. Furthermore, thanks to Assertion (1) of Theorem 1.11 our success probability is at least $1 - \frac{4}{11} > \frac{1}{2}$, so we are done. ■

4.3. Proving Theorem 1.8. We will need the following proposition, due to Ryan Williams.

Proposition 4.1. [Wil11] Assume that, for any Boolean circuit of size $L$, the Circuit Satisfiability Problem can be solved in $2^{L - \omega(\log L)}$ time. Then $\mathrm{NEXP} \not\subseteq \mathrm{P/poly}$. ■

We will also need the following lemma, which is implicit in [KiSha99]. For completeness, we prove Lemma 4.2 in Appendix C.

Lemma 4.2. Given a Boolean circuit with $d$ inputs and $L$ gates, we can find a straight-line program of size $O(L + d^2)$ for a polynomial $f \in \mathbb{F}_{2^d}[x]$ such that the circuit is satisfiable if and only if $f$ has a root in $\mathbb{F}_{2^d}$.

Proof of Theorem 1.8: From Lemma 4.2, an algorithm as hypothesized in Theorem 1.8 would imply a $2^{L - \omega(\log L)}$ algorithm for any size $L$ instance of the Circuit Satisfiability Problem. By Proposition 4.1 we would then obtain $\mathrm{NEXP} \not\subseteq \mathrm{P/poly}$. ■
Appendix A: The Proof of Lemma 2.2 and Trinomial Discriminants

Let us first recall the following famous quantitative lemma.

The Schwartz-Zippel Lemma. Suppose $K$ is any algebraically closed field, $f \in K[x_1, \ldots, x_n]$ is a non-constant polynomial of degree $d$, and $S \subset K$ has cardinality $N$. Then $f$ vanishes at no more than $dN^{n-1}$ points of $S^n$. ■

Proof of Lemma 2.2. Let $h = \gcd(f_1, \ldots, f_k)$. It is then clear that $h \in \mathbb{F}_q[x]$, $\deg \frac{f_i}{h} \le d$ for all $i$, $Z(h) = Z(f_1, \ldots, f_k)$, and $Z\!\left(\frac{f_1}{h}, \ldots, \frac{f_k}{h}\right) = \emptyset$. So if $Z\!\left(\frac{f_1}{h}, u_2 \frac{f_2}{h} + \cdots + u_k \frac{f_k}{h}\right) = \emptyset$ then we clearly obtain $Z(f_1, u_2 f_2 + \cdots + u_k f_k) = Z(f_1, \ldots, f_k)$. We may thus reduce our lemma to the special case where $Z(f_1, \ldots, f_k) = \emptyset$ by simply replacing each $f_i$ by $\frac{f_i}{h}$. So let us now prove this special case.

Consider the polynomial $L(u) := \mathrm{Res}(f_1, u_2 f_2 + \cdots + u_k f_k) \in \mathbb{F}_q[u_2, \ldots, u_k]$. By construction, for any $\zeta \in \overline{\mathbb{F}}_q$, we either have $f_1(\zeta) \ne 0$ or $f_i(\zeta) \ne 0$ for some $i \ge 2$. In the latter case, we see that $u_2 f_2(\zeta) + \cdots + u_k f_k(\zeta) \ne 0$ when $u_i = 1$ and all other $u_j$ are $0$; so for each of the finitely many roots $\zeta$ of $f_1$ the linear form $u \mapsto u_2 f_2(\zeta) + \cdots + u_k f_k(\zeta)$ is not identically zero, and outside the finite union of the hyperplanes where these forms vanish, $f_1$ and $u_2 f_2 + \cdots + u_k f_k$ have no common root. So, by Lemma 2.7, $L$ is not identically zero. Furthermore, $L$ has degree at most $\deg f_1 \le d$ in $u$, since only the $\deg f_1$ rows of the Sylvester matrix carrying the coefficients of $u_2 f_2 + \cdots + u_k f_k$ depend on $u$, each linearly. By the Schwartz-Zippel Lemma, we then obtain that $L(u_2, \ldots, u_k)$ is nonzero for at least a fraction $1 - \frac{d}{q}$ of the $(u_2, \ldots, u_k) \in \mathbb{F}_q^{k-1}$. Moreover, Lemma 2.7 tells us that at any such point, $Z(f_1, u_2 f_2 + \cdots + u_k f_k) = \emptyset$. So we are done. ■
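The two probabilistic steps used in this paper can be exercised directly on small inputs: the random linear combination of Lemma 2.2 just proved, and the square-freeness test of Section 4.2, where $f$ and $g$ share a root in $\overline{\mathbb{F}}_p$ if and only if $H = (f + ag)(f + bg)$ has a repeated factor for random $a \ne b$. The following is an added example and not code from the paper: it implements polynomial arithmetic over $\mathbb{F}_p$ for the constructed prime $p = 101$, with constructed test polynomials; all function names are ours.

```python
"""Added example (not from the paper): polynomial arithmetic over F_p used to
exercise two steps of the hardness proofs on constructed inputs.
  (a) Lemma 2.2: Z(f_1, ..., f_k) = Z(f_1, u_2 f_2 + ... + u_k f_k) for most u.
  (b) Section 4.2: f and g share a root in the algebraic closure  <=>
      H = (f + a g)(f + b g) has a repeated factor, for random a != b in F_p.
Polynomials are coefficient lists, lowest degree first. p = 101 is a
constructed choice; all names below are ours, not the paper's.
"""
import random

P = 101  # constructed small prime


def trim(f):
    """Reduce coefficients mod P and drop leading zeros (zero polynomial is [])."""
    f = [c % P for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f


def add(f, g):
    n = max(len(f), len(g))
    return trim([(f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)
                 for i in range(n)])


def scale(c, f):
    return trim([c * x for x in f])


def mul(f, g):
    h = [0] * (len(f) + len(g) - 1) if f and g else []
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] += a * b
    return trim(h)


def mod(f, g):
    """Remainder of f divided by the nonzero polynomial g over F_p."""
    f, g = trim(f), trim(g)
    inv_lead = pow(g[-1], P - 2, P)
    while len(f) >= len(g):
        c = f[-1] * inv_lead % P
        f = add(f, scale(-c, [0] * (len(f) - len(g)) + g))
    return f


def monic(f):
    f = trim(f)
    return scale(pow(f[-1], P - 2, P), f) if f else []


def gcd(f, g):
    f, g = trim(f), trim(g)
    while g:
        f, g = g, mod(f, g)
    return monic(f)


def derivative(f):
    return trim([i * f[i] for i in range(1, len(f))])


def is_squarefree(f):
    """f is square-free over the closure iff gcd(f, f') is a nonzero constant."""
    return gcd(f, derivative(f)) == [1]


def from_roots(roots):
    """Monic polynomial prod (x - r) for the given roots in F_p."""
    f = [1]
    for r in roots:
        f = mul(f, [-r, 1])
    return f


def lemma_2_2_agreement(fs, trials=200, rng=None):
    """Lemma 2.2 on constructed input: the fraction of random u for which
    gcd(f_1, u_2 f_2 + ... + u_k f_k) equals gcd(f_1, ..., f_k)."""
    rng = rng or random.Random(1)
    full = fs[0]
    for f in fs[1:]:
        full = gcd(full, f)
    hits = 0
    for _ in range(trials):
        comb = []
        for f in fs[1:]:
            comb = add(comb, scale(rng.randrange(P), f))
        hits += gcd(fs[0], comb) == full
    return hits / trials


def share_a_root(f, g, trials=20, rng=None):
    """Section 4.2 test. A common root of f and g is a root of both f + a g
    and f + b g, so H = (f+ag)(f+bg) is then never square-free. Conversely a
    square-free H for even one pair (a, b) certifies that f and g are coprime.
    Only the 'not square-free' verdict can be a false alarm (bad a or b),
    bounded by 2(2d-1)/p per trial by Lemma 2.10."""
    rng = rng or random.Random(2)
    for _ in range(trials):
        a, b = rng.sample(range(P), 2)
        H = mul(add(f, scale(a, g)), add(f, scale(b, g)))
        if is_squarefree(H):
            return False
    return True
```

The one-sided error is the point of the construction: `share_a_root` returns `False` only on a certificate, and its `True` answer is wrong with probability at most $(2(2d-1)/p)^{\text{trials}}$. The common factor may be irreducible of higher degree over $\mathbb{F}_p$, e.g. $x^2 - 2$ for $p = 101$; the test still detects it, because the repeated factor of $H$ shows up in $\gcd(H, H')$ whether or not its roots lie in $\mathbb{F}_p$.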

We now make a final observation about the roots of trinomials over finite fields, easily following from [AIRR12, Lemma 5.3].

Lemma 4.3. Suppose $f(x) = c_1 + c_2 x^{a_2} + c_3 x^{a_3} \in \mathbb{F}_q[x]$ has degree $< q$, $A := \{0, a_2, a_3\}$, $0 < a_2 < a_3$, and $\gcd(a_2, a_3) = 1$. Recall that $\zeta \in \overline{\mathbb{F}}_q$ is a degenerate root of $f$ $\iff$ $f(\zeta) = f'(\zeta) = 0$. Then:

(0) $\Delta_A(f) = (a_3 - a_2)^{a_3 - a_2} a_2^{a_2} c_2^{a_3} - (-a_3)^{a_3} c_1^{a_3 - a_2} c_3^{a_2}$.

(1) $\Delta_A(f) \ne 0 \iff f$ has no degenerate roots in $\overline{\mathbb{F}}_q$. In which case, we also have
$$\Delta_A(f) = (-1)^{a_2(a_3 - 1)}\,\frac{c_3^{a_2 - 1}}{c_1^{a_2 - 1}} \prod_{f(\zeta) = 0} f'(\zeta),$$
where the product ranges over the $a_3$ distinct roots of $f$ in $\overline{\mathbb{F}}_q$.

(2) Deciding whether $f$ has a degenerate root in $\overline{\mathbb{F}}_q$ can be done in time polynomial in $\log q$.

(3) If $f$ has a degenerate root $\zeta \in \overline{\mathbb{F}}_q^*$ then $(\zeta^{a_2}, \zeta^{a_3}) = \frac{c_1}{a_3 - a_2}\left(-\frac{a_3}{c_2}, \frac{a_2}{c_3}\right)$. In particular, such a
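Where the formulas in (0) and (3) come from, as an added derivation that is not part of the lemma's statement and uses only the definitions above: for a genuine trinomial ($c_1 c_2 c_3 \ne 0$), a degenerate root $\zeta \ne 0$ satisfies $f(\zeta) = 0$ and $\zeta f'(\zeta) = 0$, which in the unknowns $y_2 := c_2 \zeta^{a_2}$ and $y_3 := c_3 \zeta^{a_3}$ is the linear system
$$c_1 + y_2 + y_3 = 0, \qquad a_2 y_2 + a_3 y_3 = 0 .$$
When $a_3 - a_2$ is nonzero in $\mathbb{F}_q$ its unique solution is
$$y_2 = -\frac{a_3 c_1}{a_3 - a_2}, \qquad y_3 = \frac{a_2 c_1}{a_3 - a_2},$$
which is assertion (3) after dividing by $c_2$ and $c_3$. Since $(\zeta^{a_2})^{a_3} = (\zeta^{a_3})^{a_2}$, we must have $(y_2 / c_2)^{a_3} = (y_3 / c_3)^{a_2}$; multiplying through by $(a_3 - a_2)^{a_3} c_2^{a_3} c_3^{a_2}$ and cancelling $c_1^{a_2}$ gives
$$(-a_3)^{a_3} c_1^{a_3 - a_2} c_3^{a_2} = (a_3 - a_2)^{a_3 - a_2} a_2^{a_2} c_2^{a_3},$$
i.e. $\Delta_A(f) = 0$ with $\Delta_A$ as in (0). So a degenerate root forces $\Delta_A(f) = 0$, which is the easy direction of (1); the condition $\gcd(a_2, a_3) = 1$ is what lets $\zeta$ itself be recovered from the pair $(\zeta^{a_2}, \zeta^{a_3})$.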



Appendix B: The Proof of Lemma 2.10

For $2d - 1 \ge p$ the lemma is vacuous, so let us assume $2d - 1 < p$. Note also that the polynomial $f + ag$ is irreducible in $\mathbb{F}_p[x, a]$, since $f$ and $g$ have no common factors in $\overline{\mathbb{F}}_p[x]$. The splitting field $L \supseteq \mathbb{F}_p(a)$ of $f(x) + ag(x)$ must have degree $[L : \mathbb{F}_p(a)]$ dividing $D!$, where $D := \deg_x(f + ag) \le d$. Since $D \le d < p$, $p$ cannot divide $[L : \mathbb{F}_p(a)]$ and thus $L$ is a separable extension of $\mathbb{F}_p(a)$, i.e., $f + ag$ has no degenerate roots in $\overline{\mathbb{F}_p(a)}$. So the classical discriminant of $f + ag$ (where the coefficients are considered as polynomials in $a$) is a polynomial in $a$ that is not identically zero. Furthermore, from Definition 2.6, $\mathrm{Res}_{(d, d-1)}(f + ag, f' + ag') \in \mathbb{F}_p[a]$ has degree at most $d + (d - 1) = 2d - 1$, since each of the $2d - 1$ rows of its Sylvester matrix is linear in $a$. So by Lemma 2.2 the classical discriminant of $f + ag$ is non-zero for at least a fraction $1 - \frac{2d-1}{p}$ of the $a \in \mathbb{F}_p$. Thanks to Lemma 2.7 we thus obtain that $f + ag$ is square-free for at least a fraction $1 - \frac{2d-1}{p}$ of the $a \in \mathbb{F}_p$. ■

Appendix C: The Proof of Lemma 4.2

A Boolean circuit can be viewed as a straight-line program using Boolean variables and Boolean operations. One can replace the Boolean operations by polynomials over $\mathbb{F}_2$:
$$x_1 \wedge x_2 = x_1 x_2, \qquad x_1 \vee x_2 = x_1 + x_2 + x_1 x_2, \qquad \neg x_1 = 1 - x_1 \ (= 1 + x_1 \text{ in } \mathbb{F}_2).$$
Hence a straight-line program for a Boolean function of size $L$ with $d$ inputs can be converted into a straight-line program for a polynomial $f(x_0, x_1, \ldots, x_{d-1}) \in \mathbb{F}_2[x_0, x_1, \ldots, x_{d-1}]$ of size $O(L)$.
Let $b(x)$ be an irreducible polynomial of degree $d$ over $\mathbb{F}_2$, and let $\alpha$ be one root of $b(x)$. Then $\{1, \alpha, \alpha^2, \ldots, \alpha^{d-1}\}$ is a basis for $\mathbb{F}_{2^d}$ over $\mathbb{F}_2$, so any element $x \in \mathbb{F}_{2^d}$ can be written uniquely as $x = x_0 + x_1 \alpha + \cdots + x_{d-1} \alpha^{d-1}$, where $x_i \in \mathbb{F}_2$ for all $i$. Since $x_i^{2} = x_i$ for $x_i \in \mathbb{F}_2$, raising $x$ to the power $2^j$ gives $x^{2^j} = x_0 + x_1 \alpha^{2^j} + \cdots + x_{d-1} \alpha^{(d-1)2^j}$, i.e. the system of linear equations
$$
\begin{pmatrix}
1 & \alpha & \alpha^{2} & \cdots & \alpha^{d-1} \\
1 & \alpha^{2} & \alpha^{4} & \cdots & \alpha^{2(d-1)} \\
1 & \alpha^{4} & \alpha^{8} & \cdots & \alpha^{4(d-1)} \\
\vdots & \vdots & \vdots & & \vdots \\
1 & \alpha^{2^{d-1}} & \alpha^{2^{d}} & \cdots & \alpha^{2^{d-1}(d-1)}
\end{pmatrix}
\begin{pmatrix} x_0 \\ x_1 \\ x_2 \\ \vdots \\ x_{d-1} \end{pmatrix}
=
\begin{pmatrix} x \\ x^{2} \\ x^{4} \\ \vdots \\ x^{2^{d-1}} \end{pmatrix}.
$$
The underlying matrix is Vandermonde in the nodes $\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{d-1}}$, which are the $d$ distinct conjugates of $\alpha$, and thus non-singular. So we can represent each $x_j$ as a linear combination of $x, x^2, x^4, \ldots, x^{2^{d-1}}$ over $\mathbb{F}_{2^d}$. Replacing each $x_j$ by the appropriate linear combination of these powers of $x$ in the SLP for $f$, we obtain our lemma. ■
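The construction above can be carried out end to end for a small field. The following is an added example, not code from the paper: it fixes $d = 4$ and the irreducible $b(x) = x^4 + x + 1$ (our choice), builds the Vandermonde matrix of Frobenius powers and inverts it over $\mathbb{F}_{2^4}$, recovers the bits $x_0, \ldots, x_3$ of any $x \in \mathbb{F}_{16}$ as linear combinations of $x, x^2, x^4, x^8$, and then checks that the lifted polynomial $f = 1 + C(x_0, \ldots, x_3)$ of a constructed circuit $C$ has exactly the satisfying assignments of $C$ as its roots. Field elements, the circuit and all names are ours.

```python
"""Added example (not from the paper): the Appendix C construction for d = 4.
F_{2^4} is represented with the irreducible b(x) = x^4 + x + 1 (our choice);
an element is an int whose bit i is the coefficient of alpha^i. The input
bits x_0..x_3 of a constructed Boolean circuit are recovered from x as
F_{2^d}-linear combinations of the Frobenius powers x, x^2, x^4, x^8 by
inverting the Vandermonde matrix (alpha^(i 2^j)); the circuit's F_2 gate
polynomials are then evaluated in the field. Names are ours, not the paper's.
"""

D = 4
MODULUS = 0b10011  # b(x) = x^4 + x + 1, irreducible over F_2
ALPHA = 0b10       # the class of x, a root of b


def gf_mul(a, b):
    """Multiply in F_{2^D}: shift-and-add, reducing by b(x) on overflow."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> D:
            a ^= MODULUS
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a):
    return gf_pow(a, (1 << D) - 2)  # a^(2^D - 2) = a^(-1) for a != 0


def frobenius_vandermonde():
    """Row j, column i holds alpha^(i 2^j): raising x = sum x_i alpha^i to the
    2^j-th power fixes each x_i in F_2, so row j of M (x_0..x_3)^T is x^(2^j)."""
    return [[gf_pow(ALPHA, i << j) for i in range(D)] for j in range(D)]


def gf_matrix_inverse(m):
    """Gauss-Jordan over F_{2^D}; subtraction is xor in characteristic 2."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col])
        a[col], a[piv] = a[piv], a[col]
        inv = gf_inv(a[col][col])
        a[col] = [gf_mul(inv, v) for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                factor = a[r][col]
                a[r] = [v ^ gf_mul(factor, w) for v, w in zip(a[r], a[col])]
    return [row[n:] for row in a]


# COORD[i][j] is the coefficient of x^(2^j) in the linear form giving x_i.
COORD = gf_matrix_inverse(frobenius_vandermonde())


def coordinates_via_frobenius(x):
    """x_i = sum_j COORD[i][j] * x^(2^j), using only field operations on x.
    Each result is the field element 0 or 1, i.e. bit i of x."""
    powers = [gf_pow(x, 1 << j) for j in range(D)]
    return [sum_xor(gf_mul(COORD[i][j], powers[j]) for j in range(D)) for i in range(D)]


def sum_xor(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc


def circuit_poly(x0, x1, x2, x3):
    """Constructed circuit (x0 OR x1) AND NOT x2 AND (x3 OR NOT x0), written with
    the F_2 gate polynomials AND = ab, OR = a + b + ab, NOT = 1 + a (xor is +)."""
    def OR(a, b):
        return a ^ b ^ gf_mul(a, b)

    def NOT(a):
        return 1 ^ a

    return gf_mul(gf_mul(OR(x0, x1), NOT(x2)), OR(x3, NOT(x0)))


def circuit_bool(bits):
    x0, x1, x2, x3 = bits
    return bool((x0 or x1) and not x2 and (x3 or not x0))


def lifted_f(x):
    """f(x) = 1 + C(x_0, ..., x_3) with each x_i the Frobenius linear form, so
    f(x) = 0 exactly when the bits of x satisfy the circuit."""
    return 1 ^ circuit_poly(*coordinates_via_frobenius(x))


def roots_of_lifted_f():
    return [x for x in range(1 << D) if lifted_f(x) == 0]


def satisfying_assignments():
    return [x for x in range(1 << D) if circuit_bool([(x >> i) & 1 for i in range(D)])]
```

The example evaluates the straight-line program rather than expanding $f$ into monomials; the expanded degree would already be $d \cdot 2^{d-1}$ here, which is the reason the lemma is stated in terms of the SLP size rather than the degree. Root detection by brute force over the 16 field elements is of course only for checking the construction.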